On Sat, 6 May 2006 23:53:59 -0400 "Hector Santos"
<spf-discuss(_at_)winserver(_dot_)com> wrote:
----- Original Message -----
From: "Julian Mehnle" <julian(_at_)mehnle(_dot_)net>
Hector Santos wrote:
Too bad I was out of the loop when this decision was made.
That's a major difference in SPF implementations and now you see the
effect for large SPF organization/networks wishing to support SPF.
It was also a major security hole in the old SPF specification that
needed to be fixed.
I don't disagree with the need for a fix. I disagree with the low ball SWAG
of 10 limit for lookup mechanisms. It is too low IMO and I would venture a
PERMERROR is premature for many older SPF large organizations records. For
all intents and purposes it places an artificial limit on the total domains
(10) a large site may use.
No it doesn't. It says that beyond a certain level of complexity the
outbound network needs to be described in terms of IP addresses or using
exists:.
I'd encourage you to go back and review the archives. While 10 was arrived
at empirically based on list consensus, there is more to it than a swag.
There are ways to deal with this. As an example, query the a records for
relay.pair.com. That's one mechanism that covers several physical boxes.
Julian already mentioned exists:. The limits can be worked within. Now
that the RFC is out, both records and SPF libraries need to be updated to
conform to it.
Again:
Classic SPF(Microsoft) = SoftFail
Current SPF(Microsoft) = PermError
Yes. They need to update.
It has nothing to do with an interoperability issue but a "human SWAG"
artificial limit. Again, this is not a recursive issue where there was a
real security hole concern.
No, it was a DOS concern. Please see the list archives.
I would think, that if I was in the loop when this was being decided, I
would have suggested that the end result should be the same. In other words, if
the complete exhausted result is a SOFTFAIL, then the cut off would be a
SOFTFAIL as well.
This gets into how one deals with an error (not is there an error). That's
a matter of receiver policy and a good topic for a BCP type document.
Anyway, what's written is written. I would love to see what Microsoft has
to say or what they end up correcting it with. Scott, have you contacted
them yet?
No, but I will.
Scott K
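
The limit discussed in this message, as an added Python example (not part of the original thread or of any SPF library): it counts the terms that cause DNS queries (`include`, `a`, `mx`, `ptr`, `exists`, `redirect`) across nested records and reports a PermError past 10. The domains `big.example` and `flat.example`, their records, and the in-memory zone are constructed for illustration; the count is the worst case where no mechanism matches early.

```python
# Added example: worst-case count of DNS-querying SPF terms against the limit of 10.
# All domains and records are constructed; no real DNS queries are made.
LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


class PermError(Exception):
    """Raised when a record cannot be evaluated within the limit."""


def count_lookups(domain, zone, used=0):
    """Count DNS-querying terms for a full (non-short-circuited) evaluation."""
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        raise PermError(f"no SPF record for {domain}")
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")              # drop the qualifier
        if term.startswith("redirect="):
            name, target = "redirect", term[len("redirect="):]
        else:
            name, _, target = term.partition(":")
            name = name.split("/")[0].lower()   # "a/24" -> "a"
        if name not in LOOKUP_TERMS:
            continue                            # ip4, ip6, all cost nothing
        used += 1
        if used > LOOKUP_LIMIT:
            raise PermError(f"more than {LOOKUP_LIMIT} DNS-querying terms")
        if name in ("include", "redirect"):
            used = count_lookups(target, zone, used)  # nested terms count too
    return used


def check(domain, zone):
    try:
        return "ok", count_lookups(domain, zone)
    except PermError as exc:
        return "permerror", str(exc)


# Constructed zone: six sites, each published with "a mx", all included by the parent.
ZONE = {f"site{i}.big.example": "v=spf1 a mx -all" for i in range(1, 7)}
ZONE["big.example"] = "v=spf1 " + " ".join(
    f"include:site{i}.big.example" for i in range(1, 7)) + " ~all"
# Same idea described with addresses, one shared "a" name, and exists:.
ZONE["flat.example"] = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "a:relay.flat.example exists:%{i}.allow.flat.example ~all")

if __name__ == "__main__":
    for d in ("big.example", "flat.example"):
        print(d, check(d, ZONE))
```

The six-site record needs 18 DNS-querying terms in full and is cut off at the 11th, while the record using `ip4:`, one shared `a:` name and `exists:` needs 2.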